Frequently Asked Question

What is the intent of PCI DSS Requirement 3.4.1?

The intent of this requirement is to address the acceptability of disk encryption for rendering cardholder data unreadable. Disk encryption encrypts data stored on a computer's mass storage and automatically decrypts the information when an authorized user requests it. Disk-encryption systems intercept operating system read and write operations and carry out the appropriate cryptographic transformations without any special action by the user other than supplying a password or pass phrase at the beginning of a session. Based on these characteristics of disk encryption, to be compliant with this requirement, the disk-encryption method cannot:
 
1. Use the same user account authenticator as the operating system, or
2. Use a decryption key that is associated with or derived from the system's local user account database or general network login credentials.
Last updated: May 2014
Originally published: April 2012
Article Number: 1084

Featured FAQ Articles